Monday, December 21, 2020

Keeping Faith

Nothing good can come of the confrontation between good faith and bad faith engagement. ... Indeed, pursuing good faith engagement with bad faith actors only enables and fuels this corrosive, anti-civic behavior.

- Josh Marshall

This week's featured post is "Beware of Bad Faith". Next week I'll resume the tradition of the Yearly Sift and announce a theme of the year.

This week everybody was talking about the Russian hack

Ars Technica describes the hack like this:

SolarWinds is the maker of a nearly ubiquitous network management tool called Orion. A surprisingly large percentage of the world’s enterprise networks run it. Hackers backed by a nation-state—two US senators who received private briefings say it was Russia—managed to take over SolarWinds’ software build system and push a security update infused with a backdoor. SolarWinds said about 18,000 users downloaded the malicious update.

So basically, major corporations and government agencies were hacked via an organization that they trusted to keep them safe from hackers. Wired summed up:

Any customer that installed an Orion patch released between March and June inadvertently planted a Russian backdoor on their own network.

So, ironically, IT departments that fell months behind on installing patches -- a lot of them, according to Wired -- escaped. Not all of the 18K users who installed the back door were the targets, though. Ars Technica:

the tiniest of slivers—possibly as small as 0.2 percent—received a follow-on hack that used the backdoor to install a second-stage payload. The largest populations receiving stage two were, in order, tech companies, government agencies, and think tanks/NGOs. The vast majority—80 percent—of these 40 chosen ones were located in the US.

Again, Wired puts this in simple terms:

This means there are really three subgroups within the potential victims of these attacks: Orion users who installed the backdoor but were never otherwise exploited; victims who had some malicious activity on their networks, but who ultimately weren't appealing targets for attackers; and victims who were actually deeply compromised because they held valuable data.

"If they didn't exfiltrate data, it’s because they didn’t want it," says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec.

So the obvious question is: What did they want?

Identifying exactly what was taken is challenging and time consuming. For example, some reports have indicated that hackers breached critical systems of the Department of Energy's National Nuclear Security Administration, which is responsible for the US nuclear weapons arsenal. But DOE spokesperson Shaylyn Hynes said in a statement late Thursday that while attackers did access DOE "business networks," they did not breach "the mission-essential national security functions of the Department."

Let me make a layman's guess about what that means: They didn't steal our nuclear secrets, but they got a lot personal information about people who could steal our nuclear secrets.

One thing the hackers wanted was an opportunity to hide their malware inside of other software companies' products. Josephine Wolff writes in Slate:

Even more worrisome is the fact that the attackers apparently made use of their initial access to targeted organizations, such as FireEye and Microsoft, to steal tools and code that would then enable them to compromise even more targets. After Microsoft realized it was breached via the SolarWinds compromise, it then discovered its own products were then used “to further the attacks on others,” according to Reuters.

This means that the set of potential victims is not just (just!) the 18,000 SolarWinds customers who may have downloaded the compromised updates, but also all of those 18,000 organizations’ customers, and potentially the clients of those second-order organizations as well—and so on. So when I say the SolarWinds cyberespionage campaign will last years, I don’t just mean, as I usually do, that figuring out liability and settling costs and carrying out investigations will take years (though that is certainly true here). The actual, active theft of information from protected networks due to this breach will last years.

Ominously, the government's Cybersecurity & Infrastructure Security Agency (CISA) warns that we might not know the full extent of the attack yet.

CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform. ... CISA will update this Alert as new information becomes available.

As for who did it, anonymous sources of The Washington Post blame the hack on:

Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR


Predictably, Trump downplayed the hack and said that we don't know it was Russia. In other words, he once again said exactly what Putin wants him to say. Incidents like this are why so many people believe Putin has something on Trump. There may or may not be a pee tape, but there's clearly something. Ben Rhodes comments:

Trump stands down on hacking, says nothing about Navalny poisoning, downsizes US military presence in Germany, embraces Russian conspiracy theory about Ukraine and 2016 election, and debases US democracy into a corrupt grift for cronies. Those are Putin's returns just this year.

Trump also incorporated the hack into a new conspiracy theory to deny that he lost the election by seven million votes: Maybe it was China. Maybe they also hit the voting machines.

An aside: On social media, I am now refusing to get into the details of Trump's election conspiracy theories. Instead I simply say this: "There are numerous legitimate venues in which Trump made or could have made his claims: state and local election boards, secretaries of state, state and federal courts. In every case, those officials and judges -- including Republican officials and Trump-appointed judges -- found no reason to challenge Biden's win. It's time for Trump and his followers to accept the reality that he lost legitimately and by a wide margin."


In a discussion of what Microsoft has discovered about the attack, Microsoft President Brad Smith made a oblique criticism of Trump's "America First" foreign policy.

The new year creates an opportunity to turn a page on recent American unilateralism and focus on the collective action that is indispensable to cybersecurity protection.


Mike Pompeo, in contrast to his boss, said this:

This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity.


In the middle of all this, the Pentagon has shut down transition briefings for Biden's people. Acting Defense Secretary Chris Miller claimed it was a mutually agreed upon holiday break, but Biden transition director Yohannes Abraham denies that.

and the transition

The effort to keep Trump in power in spite of the voters gets more and more radical as its more legitimate efforts fail. Recounts didn't work. There was no evidence of massive fraud to show to election boards or state or federal courts. Republican legislatures in swing states couldn't be persuaded to back a Trump power grab. So what does that leave? Violence.

The latest buzz in MAGAland is that Trump should invoke the Insurrection Act to take over the swing states by military force and hold new elections. (In other words: to start an insurrection rather than put one down.) Two criminal allies who benefited from Trump's pardon power, Roger Stone and Michael Flynn, have both suggested this.

It's not going to happen. The military doesn't want that job, and I don't think our generals have some deep personal loyalty to Trump that they're looking for a way to express.

“When you're talking about a group of conspiracy theorists, and others who lack any kind of legal knowledge, they'll just pull that arrow out of their quiver when the rest don’t work,” said Brian Levin, executive director of the Center for the Study of Hate and Extremism at California State University, San Bernardino.

Once you eliminate military violence, the remaining option is yahoos with guns.

“What is the heart of the Second Amendment, pro-militia, anti-government patriot movement? It's the insurrectionist theory of the Second Amendment,” [Levin] said. “It says people can rise up against a tyrannical government. To me, this looks like the last exit on the Jersey Turnpike before we get to that spot.”


We're still waiting on what might be Biden's most important appointment: attorney general. That person is going to have to decide which of the Trump-era corruption cases is worth pursing and how to pursue them. What's in the national interest? What can states like New York handle on their own? Stuff like that.

It's getting lost in this Trump-centered moment, but the new AG is also going to be in the middle of efforts to redefine and reform American policing. There is going to be another George Floyd somewhere, and when there is, will the local community believe in the Biden Justice Department or not? Violence happens when the non-violent avenues for seeking justice seem closed.

and the virus

A second vaccine, this one from Moderna, has been OK'd for use.


We've already hit a glitch in distribution of the Pfizer vaccine. States suddenly heard from the federal government, without explanation, that their expected allocation of doses would drop by 1/3 or more. It seems to be a bureaucratic issue and not a manufacturing problem.


The UK is reporting a new strain of Covid-19 that spreads even faster. It doesn't seem to be any deadlier, though, and so far the belief is that the same vaccines will work.


It looks like a $900 billion Covid relief package will pass soon. I thank the voters of Georgia for forcing the two Senate runoffs on January 5. Mitch McConnell wants to sabotage the country as Biden takes office, but he needs to be able to argue that his Senate is not completely dysfunctional. So we'll get a too-small package rather than none at all.


As we passed 300,000 deaths this week, the US continues to set records for cases, hospitalizations, and deaths. The Thanksgiving holiday gatherings proved to be every bit as dangerous as public-health officials predicted, and Christmas is shaping up to be even worse.

My best guess: The pandemic will peak in mid-January, and then fall off fairly quickly as spring arrives and the vaccines start to take hold. Some really horrible stuff will happen between then and now, though, because many communities' hospital systems won't be able to handle the strain. In the spring, when the outbreak was centered in New York City, help could be pulled in from elsewhere. This time, there is no "elsewhere".


Whatever stories you have of bad behavior by covidiots, Texas wedding photographers can top you.

and you also might be interested in ...

Believe it or not, Brexit is still a thing. Britain's exit from the EU became official back in January, but there were still details to work out. Those details are still not worked out, and bad things start happening January 1 if they're not.


New reasons to doubt trickle-down economics:

[A] new paper, by David Hope of the London School of Economics and Julian Limberg of King's College London, examines 18 developed countries — from Australia to the United States — over a 50-year period from 1965 to 2015. The study compared countries that passed tax cuts in a specific year, such as the U.S. in 1982 when President Ronald Reagan slashed taxes on the wealthy, with those that didn't, and then examined their economic outcomes.

The conclusion: The tax cuts had virtually no effect on economic growth, but they did increase the incomes of the rich.


An announcement from the United States Space Force:

Today, after a yearlong process that produced hundreds of submissions and research involving space professionals and members of the general public, we can finally share with you the name by which we will be known: Guardians.

Three words sum up everything that needs to be said about our space-faring guardians: I am Groot.


Benjamin Wittes' look back on the Flynn pardon is worth reading. He puts the whole affair in context, notes the judge's skepticism about the government's actions since Barr became attorney general, and concludes:

I doubt, for reasons I won’t detail here, that it could be proved beyond a reasonable doubt to be an obstruction of justice. But I also have little doubt that it was one—that the whole story, taken together, describes a protracted pattern of conduct by the president that was specifically intended to influence the interactions of a key witness with both prosecutors and the courts. ...

He notes Flynn's subsequent airing of the notion that Trump could declare martial law in swing states so that the military could re-do the election, and comments:

The president, in other words, bought not merely Flynn’s non-cooperation with prosecutors. He appears to have bought as well the former intelligence officer’s vociferous and public support for his attempts to undermine the election he lost.

As we look toward the next rounds of pardons, this latter trade may be the fundamental one Trump is seeking to replicate.


I talked about the Dr. Jill controversy in the featured post, but I didn't get around to mentioning this speculation: I'm sure that if she continues teaching English in a community college, it is only a matter of time before Project Veritas puts a student/provocatuer in her class to tape lectures that they can deceptively edit into something scandalous.


Trump's takeover of conservative Christianity has not been completely unopposed. In this post, Pentacostals and Charismatics for Peace and Justice collect 12 Trump-Christian leaders prophesying that Trump would win the election and serve a second term. These were not humble prayers that God might aid their favorite candidate, but proclamations that God had showed them the future.

Since Trump did not win the election and will not serve a second term, it's worth considering the possibilities here.

  • God tricked them. Believing this would challenge standard Christian beliefs about God's character and God's relationship with humanity.
  • They fooled themselves. Maybe they interpreted their own wishful thinking as the voice of God, although the theory that some demon pretended to be God and told them what they wanted to hear is also consistent with many branches of Christian theology. Either way, followers should be leery of any future pronouncements these 12 might make.
  • They lied. In my opinion, this is the most likely option. But I'm cynical.

Most likely, though, these pastors' sheep will not hold them accountable for their error in any way. The preachers will go on speaking in God's name, the gullible will believe them, and the money will keep rolling in. Later, the followers of these charlatans will complain that people like me treat them like they're stupid.

and let's close with something adorable

As we deal with the pandemic and wait for the end of the Trump administration, it's impossible to have too much cuteness in our lives. With that in mind, I offer a new species of greater gliders, who are related to koalas. They live in the Australian bush.

I think that if the new greater gliders handle their marketing rights wisely, they should never lack for eucalyptus again.

No comments: